NOTE: A similar information security community effort is under active development at the U.S. Institute of Standards and Technology (NIST).
Visit http://scap.nist.gov/specifications/asr/ for additional information.
We encourage members of the information security community to participate by offering feedback on the current draft of the ASR specification.
ASR Whitepaper (PDF, 88 KB)
ASR Schemas and Documentation (Zip, 866 KB)
Assessment Summary Results (ASR) is an open specification that provides a structured language for exchanging summarized assessment results data between assessment tools, asset databases, and other products that manage asset information. It is intended to be used by tools that collect detailed configuration data about IT assets, especially products that leverage specifications contained in the National Institute for Standards and Technology's (NIST) Security Content Automation Protocol (SCAP).
ASR is the multi-device results reporting specification in a suite of specifications that enables the reporting of assessments of IT assets in an enterprise environment, known collectively as security automation interfaces. Assessment Results Format (ARF) is the per-device assessment results format and the Policy Language for Assessment Results Reporting (PLARR) request language in the suite. The security automation interfaces specifications describe an end-to-end process for delivering assessment content to data stores, requesting assessments against that content, reporting on the results of those assessments, and aggregating assessment results to an enterprise level.
ASR is being developed by the Computer Network Defense Research and Technology Program Management Office, which has proposed its inclusion as an Emerging SCAP Specification. MITRE is soliciting feedback on ASR from the security automation community and will be working with the CND R&T PMO and NIST to incorporate that feedback into upcoming versions of ASR.